Finding the keylogger hooks, part 3

In Part 2 we walked the call stack on the New Thread Stack chart so we could see what the svchost process was doing while we pressed keys. In Part 3 we continue the investigation by gathering more evidence that this svchost process is malicious. We look at the CPU Usage (Sampled) chart and walk the call stack of the keylogger process during the time it was active. We look at the calls made after UserCallbackDispatcher (the ntdll KiUserCallbackDispatcher frame, where the kernel hands control back to user mode for the hook callback), which is where the KBDLLHOOKSTRUCT describing the key press arrives in the low-level keyboard hook.

- [Instructor] We have found the key logger being disguised as a Windows background process called svchost. We came to this suspicion by inspecting the thread activity and seeing that this svchost process only has thread activity, and lots of it, while we are pressing down on the keyboard in Notepad. And then it goes away. We dragged the data table down and revealed a graph to make it more visible. We saw this right here. This thread comes in and records us. When we inspected the call stack, we saw calls to KBDLLHOOKSTRUCT, CALLNEXTHOOK, and CALLHOOK2.

Let's confirm this by noting down the process ID of this svchost. We do this because Windows has multiple svchost processes. So, we need to keep track of the process ID, which is shown in the parentheses next to each process. So, svchost with process ID 9644 is our suspected keylogger. Let's go over to the left-hand side and drag and drop the chart CPU Usage Sampled over to the top of this graph. This will stack both chart windows on top of each other, and is great for making correlations…
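The same correlation the instructor makes by stacking the CPU Usage (Sampled) chart over the thread graph can be done offline over rows exported from that table. The script below is an added example written for this page, not code from the course or its demo: it keys everything by PID (several svchost.exe instances coexist, and only 9644 is the one to track), sums samples inside and outside the key-press window, and checks whether that PID's sampled stacks pass through the keyboard-hook dispatch frames (the KBDLLHOOKSTRUCT callback thunk and the CallHook/CallNextHook path). The CSV column layout, the 12.0 to 13.5 s key-press window, the sample rows and the unresolved frame placeholders are constructed assumptions; the ntdll/user32 frame names are the ones the course points at.

```python
"""Correlate CPU Usage (Sampled) rows with the key-press window and check
the sampled stacks for keyboard-hook dispatch frames.

Constructed example: the CSV layout (Process as "name (pid)", a Thread ID,
a TimeStamp in seconds, a sample Count and a ';'-separated Stack) is an
assumption about how the WPA table looks when exported; adjust the column
names to match your own export.
"""
import csv
import io
from collections import defaultdict

# Frame substrings that mark the WH_KEYBOARD_LL hook path: the KBDLLHOOKSTRUCT
# callback thunk and the CallHook*/CallNextHook* dispatch seen in Part 2.
HOOK_MARKERS = ("KBDLLHOOKSTRUCT", "CallHook", "CallNextHook")

# Start/end (seconds into the trace) of the interval in which keys were
# pressed in Notepad, read off the New Thread Stack graph. Assumed values.
KEYPRESS_WINDOW = (12.0, 13.5)

# Constructed rows: svchost (9644) only runs inside the window and its stacks
# go through the hook dispatcher; svchost (812) is a real service host ticking
# along regardless; notepad (4420) is busy in the window but handles keys
# through its own window procedure, not a hook. "unresolved!..." and
# "notepad.exe!0x..." frames are placeholders for unsymbolised code.
SAMPLE_CSV = """Process,Thread ID,TimeStamp,Count,Stack
svchost.exe (9644),1212,12.105,1,"ntdll.dll!KiUserCallbackDispatcher;user32.dll!__fnHkINLPKBDLLHOOKSTRUCT;user32.dll!CallHookWithSEH;unresolved!0x1c40;user32.dll!CallNextHookEx"
svchost.exe (9644),1212,12.410,2,"ntdll.dll!KiUserCallbackDispatcher;user32.dll!__fnHkINLPKBDLLHOOKSTRUCT;user32.dll!CallHookWithSEH;unresolved!0x1c40"
svchost.exe (9644),1212,13.020,1,"ntdll.dll!KiUserCallbackDispatcher;user32.dll!__fnHkINLPKBDLLHOOKSTRUCT;user32.dll!CallHookWithSEH;unresolved!0x1c40;user32.dll!CallNextHookEx"
svchost.exe (812),4004,3.500,1,"ntdll.dll!RtlUserThreadStart;kernel32.dll!BaseThreadInitThunk;unresolved!0x2a10"
svchost.exe (812),4004,7.200,1,"ntdll.dll!RtlUserThreadStart;kernel32.dll!BaseThreadInitThunk;unresolved!0x2a10"
svchost.exe (812),4004,12.700,1,"ntdll.dll!RtlUserThreadStart;kernel32.dll!BaseThreadInitThunk;unresolved!0x2a10"
notepad.exe (4420),5120,12.210,3,"user32.dll!DispatchMessageW;user32.dll!UserCallWinProcCheckWow;notepad.exe!0x12f0"
notepad.exe (4420),5120,12.950,1,"user32.dll!DispatchMessageW;user32.dll!UserCallWinProcCheckWow;notepad.exe!0x12f0"
"""


def parse_samples(text):
    """Turn the exported CSV into a list of typed sample records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        name, _, pid = r["Process"].rpartition(" (")
        rows.append({
            "process": name,
            "pid": int(pid.rstrip(")")),
            "tid": int(r["Thread ID"]),
            "t": float(r["TimeStamp"]),
            "count": int(r["Count"]),
            "frames": r["Stack"].split(";") if r["Stack"] else [],
        })
    return rows


def samples_by_process(rows, window):
    """Sum sample counts per (name, pid), split into inside/outside the window."""
    start, end = window
    inside, outside = defaultdict(int), defaultdict(int)
    for r in rows:
        bucket = inside if start <= r["t"] <= end else outside
        bucket[(r["process"], r["pid"])] += r["count"]
    return inside, outside


def hook_frames(rows, pid):
    """Frames from this PID's sampled stacks that lie on the keyboard-hook path."""
    found = set()
    for r in rows:
        if r["pid"] != pid:
            continue
        for frame in r["frames"]:
            if any(m.lower() in frame.lower() for m in HOOK_MARKERS):
                found.add(frame)
    return found


def suspicious_processes(rows, window, min_ratio=0.9):
    """Processes that are both (a) active almost only while keys are pressed
    and (b) executing inside a keyboard hook. Keyed by PID, since several
    svchost.exe instances normally coexist."""
    inside, outside = samples_by_process(rows, window)
    flagged = []
    for (name, pid), n_in in inside.items():
        ratio = n_in / (n_in + outside.get((name, pid), 0))
        frames = hook_frames(rows, pid)
        if ratio >= min_ratio and frames:
            flagged.append({"process": name, "pid": pid,
                            "samples_in_window": n_in,
                            "ratio": ratio, "hook_frames": sorted(frames)})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_processes(parse_samples(SAMPLE_CSV), KEYPRESS_WINDOW):
        print(f"{hit['process']} ({hit['pid']}): {hit['samples_in_window']} samples "
              f"in window, {hit['ratio']:.0%} of its total")
        for frame in hit["hook_frames"]:
            print("   ", frame)
```

Notepad is the edge case worth noticing: it is just as busy during the key presses as the keylogger, so the activity window alone does not separate the two. What does is the stack content, which is why the check requires hook-dispatch frames as well as the time correlation, and why the PID rather than the name "svchost.exe" is the key.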

Released

9/8/2016

Is your PC running slow? The answer might be more nefarious than you think. Spyware such as keyloggers can often go undetected by antivirus software. Windows Performance Toolkit offers two powerful tools for identifying and gathering evidence of keyloggers: the Recorder, used to record system events, and the Analyzer, used to inspect those events. Join Thomas Pantels as he explains what a keylogger is and demonstrates how it functions and hides in plain sight. Using Windows Performance Toolkit, he shows how to set up a profiling environment to gather evidence and find the keylogger "hooks." Once you've traced the keylogger, you can delete the application and get your computer back on track.